- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schose
Builder
01-06-2021
09:51 AM
Hi all,
I'm trying to ingest data using a lookup like descripted in:
https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/IngestLookups
props.conf:
[ilookuptest]
TRANSFORMS-a = ilookuptest1
TRANSFORMS-b = ilookuptest2
transforms.conf:
[ilookuptest1]
INGEST_EVAL = pod="testpod1"
[ilookuptest2]
INGEST_EVAL= annotation=lookup("testlookup.csv", json_object("pod","pod"), json_array("annotation"))
lookup testlookup.csv:
pod,annotation
testpod1,testannotation1
testpod2,testannotation2
testpod1,testannotation1
testpod2,testannotation2
ingest data using:
curl -k http://192.168.208.5:8088/services/collector -H 'Authorization: Splunk f05eedbb-a706-427e-9606-baa3e8036411' -d '{"index": "test", "sourcetype": "ilookuptest", "event":"this is for testing ingest eval lookup12"}
props.conf and transforms.conf are located at $SPLUNK_HOME/etc/system/local .. lookup at $SPLUNK_HOME/etc/system/lookups .
I'm getting errors in splunkd.log:
WARN CsvDataProvider - No valid lookup table file found for this lookup=testlookup
ERROR CsvDataProvider - The lookup table 'testlookup' does not exist or is not available.
ERROR pipeline - Runtime exception in pipeline=typing processor=regexreplacement error='Invalid function argument' confkey='source::http:test|host::192.168.208.5:8088|ilookuptest|'
ERROR pipeline - Uncaught exception in pipeline execution (regexreplacement) - getting next event
ERROR pipeline - Uncaught exception in pipeline execution (regexreplacement) - getting next event
The event is not indexed...
When defining transforms.conf
INGEST_EVAL= annotation=lookup("testlookup", json_object("pod","pod"), json_array("annotation"))
INGEST_EVAL= annotation=lookup("testlookup", json_object("pod","pod"), json_array("annotation"))
I'm getting errors in splunkd.log:
WARN CsvDataProvider - Unable to find filename property for lookup=testlookup.csv will attempt to use implicit filename.
Event is indexed but not getting the value from the lookup.
File is there, read permissions are set, "| inputlookup testlookup.csv" is displaying results.
Any hints or a working INGEST_EVAL using lookups example?
Best Regards,
Andreas
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schose
Builder
01-12-2021
07:35 AM
a working transforms.conf:
[ilookuptest1]
INGEST_EVAL = pod="testpod1"
[ilookuptest2]
INGEST_EVAL= annotation=json_extract(lookup("testlookup.csv",json_object("pod",pod), json_array(annotation)),"annotation")
message:
WARN CsvDataProvider - Unable to find filename property for lookup=testlookup.csv will attempt to use implicit filename.
still there, but working.
still there, but working.
Regards,
Andreas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schose
Builder
01-12-2021
07:35 AM
a working transforms.conf:
[ilookuptest1]
INGEST_EVAL = pod="testpod1"
[ilookuptest2]
INGEST_EVAL= annotation=json_extract(lookup("testlookup.csv",json_object("pod",pod), json_array(annotation)),"annotation")
message:
WARN CsvDataProvider - Unable to find filename property for lookup=testlookup.csv will attempt to use implicit filename.
still there, but working.
still there, but working.
Regards,
Andreas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tah7004
Path Finder
02-02-2021
09:16 AM
Hi, do you know what made it work for you? I get the same WARN message, but not the error and I think my configuration is similar. I tried placing the lookup file in both the app and system/lookup directory on my indexers.
